Shein Android App Found Transmitting Clipboard Data to Remote Servers

An older version of Shein’s Android application had a bug that captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team discovered the problem in version 7.9.2 of the app, which was released on December 16, 2021. The issue was addressed as of May 2022.

The discovery of this issue is significant, as it highlights the potential dangers of using apps that collect and transmit sensitive data without user consent. In this case, Shein’s Android app was able to capture and transmit data from the user’s clipboard, which could include passwords, personal messages, and other sensitive information.

Shein, originally named ZZKKO, is a Chinese online fast fashion retailer based in Singapore. The app, which is currently at version 9.0.0, has over 100 million downloads on the Google Play Store. The discovery of the bug in an older version of the app has raised concerns about the security of Shein’s app and the potential risks to its users.

According to the Microsoft 365 Defender Research Team, the issue was caused by an incorrect configuration of the app’s code. This allowed the app to periodically capture and transmit clipboard contents to a remote server without user consent. The researchers found that the captured data was encrypted before transmission, but the encryption method used was weak and could be easily bypassed.

Upon discovering the issue, the Microsoft 365 Defender Research Team notified Shein of the problem. Shein acknowledged the issue and released an updated version of the app that addressed the problem. The updated version, version 7.9.3, was released in May 2022 and is no longer vulnerable to the bug.

While the issue has been addressed, it is important for users to be aware of the potential risks associated with using apps that collect and transmit sensitive data. Users should always be cautious when installing apps, especially those from unknown or untrusted sources. It is also recommended that users regularly update their apps to ensure that they are protected from known security vulnerabilities.

The discovery of a bug in an older version of Shein’s Android app highlights the potential dangers of using apps that collect and transmit sensitive data without user consent. The issue has since been addressed, but it is important for users to remain vigilant when using any app that collects and transmits sensitive data. Shein, as a popular online fast fashion retailer, should take appropriate measures to ensure the security and privacy of its users.

However, the incident raises important questions about the security and privacy of Shein’s Android app.

As the use of mobile apps continues to grow, so does the need for developers to prioritize security and privacy in their app development processes. Shein, as a large online retailer, should take appropriate measures to ensure that its users’ data is protected from potential security breaches.
